>The recent CCleaner malware outbreak is much worse than it initially appeared, according to newly unearthed evidence. That evidence shows that the CCleaner malware infected at least 20 computers from a carefully selected list of high-profile technology companies with a mysterious payload.
CCleaner Malware was selective multi-stage attack, wipe recommended for those affected
>installing ccleaner in the first place
MS said a long time ago that Windows doesn't need any such software, as it is capable of maintaining itself.
JUST
People still use this meme?
Textbook reason why you should only run open-source software
I'm fucking reinstalling windows ten right now
>because open source programs have never had exploits in their code before
>Malware
>for 32-bit Computers
Nice one, hackers
>Windows
>capable of maintaining itself
kek
also
>believing MS
idiot
Probably targeting some institution that's running outdated software, i.e. most of them.
Though why they'd be installing CCleaner on their computers who the fuck knows
Sure, just run Linux which MitM's all of your software.
>Piriform
Speccy has it too. Enjoy.
>The second stage appears to use a completely different control network. The complex code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Craig Williams, a senior technology leader and global outreach manager at Talos, said the code contains a "fileless" third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Researchers are in the process of reverse engineering the payload to understand precisely what it does on infected networks.
Anyone else feel like the whole world is becoming so complex that we're all screwed? It takes a team of PhDs to analyze 1 piece of malware and malware could be developed by another team of PhDs at the NSA / KGB. Think of how many programs you use on a day-to-day basis and think of how many millions of lines of code make up each program. Nobody is going to audit all that shit let alone understand it. It would take so many lifetimes to audit every piece of code you trust every day that it's an intractable problem. And it takes reading thousands of pages of manuals to master ONE domain of knowledge.
>Downloading malware just to list out your specs
Never understood this
You don't need to understand how your microwave or car functions to operate either. Programs are the same way.
The only people that are running 32bit in 2017 are morons and old people who would get worse fucked by a hack. Someone that would know to wipe their shit wouldn't have 32bit in the first place but if they did they would know to wipe their shit.
And you trust that your microwave is just a microwave and does what a microwave does because it says it does. Little do you know all microwaves produced since 1990 could have some microphone listening to all your conversations that uploads to a government database using a secret physical layer protocols developed at Area 51 designed so that normal computers will never detect that they're even being used.
No shit, I don't get it. I know every component installed by heart, I spent a lot of time picking each one specifically.
>the government is trying to steal my secret sauce recipe
Your tax dollars at work, folks.
Go on....
Microwaves and cars aren't trusted with our most sensitive data.
>2017
>still using windoze
Get a chromebook for your daily shit, literally immune to viruses, then get a mac to become normie, photoshop, AutoCAD.
Only autists keep putting up with microshills broken bloatware trash.
It's useful for selling computers on eBay or if you're working on someone else's computer and don't want to open the case to find the motherboard model to update the BIOS.
Last 40 times I just let windows maintain itself I ended up with corrupted graphics drivers, corrupted icon caches, corrupted user profiles, corrupted recycling bins, and corrupted start menus.
Just to confirm, 64-bit is still safe right?
yup
that sounds like an image issue, not the OS. if you have tards building the image for the company chances are they use tons and tons of registry hacks to cover up their ineptitude or to feel like a "hacker"
No images here, just my md5-verified home edition.
Most mainstream software gives you a headache by hiding its x64 installers - automatically most services provide you with an x32 installer on download.
Question is, is x64 infected? How can I tell?
why make a 32-bit only virus?
It's easier
But we trust cars with our lives?
>justifying running pajeetware because you're already stupid enough to run other sorts of pajeetware
When you layer stupidity on top of stupidity, it doesn't make you look smart.
Cars are. Nearly all new cars come with microphones (LOL BLUETUTH) and cellular radios built into cars are becoming more common (thanks Elon Musk, you fucking cunt.)
Your car could be broadcasting every private conversation you ever have in your car, and you'd never even know it.
Can’t tell if trolling or seriously that dumb.
I torrented CCleaner technician edition like a year or two ago and haven't had any issues. Obviously I scanned with clamwin before installing too, and I've had no issues. I like occasionally cleaning cookies and internet history before I leave somewhere in case another family member uses my pc and ccleaner does the job just fine for that
China's PLA unit 61398 decided that x86 would do the job for their operational purposes?
Idk why they targeted Slovakia as well, maybe they goofed and thought .sk was south korea, lol. Or maybe they're pissed at ESET.
Nothing, even reproducible builds, prevents FOSS from having update servers compromised to serve trojans.
Until Sourceforge went https:, the mirrors were a prime target (and were used operationally for this purpose by GCHQ's QUANTUMSKY, iirc).
Externally signed builds on top of secure connections might help (one or the other is not sufficient as rollback attacks are possible over http:, more fool Debian), although you are dealing with an attacker sufficiently determined that they may well steal the update keys.
>"When you look at this software package, it's very well developed," Williams told Ars. "This is someone who spent a lot of money with a lot of developers perfecting it. It's clear that whoever made this has used it before and is likely going to use it again."
Told you fags, it was the CIA
I think that was the plan all along, trick people into thinking that it only infected 32-bit OS then got hooked into facebook akamai servers, samsung, microsoft, playstation accounts.
They won.
>Anyone else feel like the whole world is becoming so complex that we're all screwed?
H Y P E R N O R M A L I S A T I O N
serious question, how does one re-install if i upgraded from 7 for free when that was going on?
did malwarebytes make it so even if it's a 64 bit version, it picks up trojans? because i just scanned and it picked up on a trojan from ccleaner but i haven't updated mine since august 3rd and it was the 64 bit one, i still removed it through malwarebytes and then uninstalled it/removed registry traces with geek uninstaller, am i okay Sup Forums?
CCleaner installs both 32bit and 64bit versions.
Malwarebytes probably found ccleaner.exe, and not ccleaner64.exe
32bit version is still executed on ALL 64bit machines at logon via CCleanerSkipUAC in Task Scheduler.
Analysis by Talos/Avast said that if the 32bit executable was run on a 64bit OS it would skip the backdoor installation and run the normal 32bit CCleaner program.
Uncertain why they skipped over 64bit systems. Someone mentioned perhaps they couldn't get the 64bit executable signed, but why did 32bit program skip injection on 64bit systems?
Yeah it flagged the installer as malware. As long as you don't have the malicious registry keys, you're good.
thanks anons. malwarebytes did catch ccleaner.exe and not ccleaner64.exe, i removed it and then used geek uninstaller to uninstall ccleaner and its registry entries. i then checked with regedit and did not find anything in the piriform entry, no 'agomo' or anything. i should be good?
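A triage script for the points raised in the posts above (the CCleanerSkipUAC scheduled task that launches the 32-bit binary at logon, the 'agomo' entry under the Piriform registry key, and which of the two installed executables is version 5.33). This is an added example, not code from the thread, Piriform or Talos; it assumes the default install folders under Program Files and that the key lives at HKLM:\SOFTWARE\Piriform (also checked under WOW6432Node).

```powershell
# Added triage example (not from the thread or from Piriform/Talos).
# Run in an elevated PowerShell on the host being checked. It reports:
#  1. the CCleanerSkipUAC scheduled task and the binary it launches,
#  2. an "Agomo" subkey under the Piriform hive (assumed path, see lead-in),
#  3. the file versions of ccleaner.exe and ccleaner64.exe (5.33 is the
#     version the thread names as trojanized).
# Install paths are assumptions: the defaults under Program Files.

$findings = @()

# 1. Scheduled task: on 64-bit hosts it runs the 32-bit ccleaner.exe at logon
$task = Get-ScheduledTask -TaskName 'CCleanerSkipUAC' -ErrorAction SilentlyContinue
if ($task) {
    foreach ($action in $task.Actions) {
        $findings += "Task CCleanerSkipUAC runs: $($action.Execute) $($action.Arguments)"
    }
} else {
    $findings += 'Task CCleanerSkipUAC: not present'
}

# 2. Registry: look for the Agomo subkey under either Piriform hive location
foreach ($hive in 'HKLM:\SOFTWARE\Piriform', 'HKLM:\SOFTWARE\WOW6432Node\Piriform') {
    $agomo = Join-Path $hive 'Agomo'
    if (Test-Path $agomo) {
        $names = (Get-Item $agomo).GetValueNames() -join ', '
        $findings += "SUSPICIOUS: $agomo exists (values: $names)"
    }
}

# 3. Binary versions: the default install drops both executables, so check both
$candidates = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "$env:ProgramFiles\CCleaner\CCleaner64.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
)
foreach ($path in $candidates) {
    if (Test-Path $path) {
        $ver  = (Get-Item $path).VersionInfo.FileVersion
        $flag = if ($ver -like '5.33*') { 'SUSPICIOUS' } else { 'info' }
        $findings += "${flag}: $path is version $ver"
    }
}

$findings
```

An absent task, no Agomo key and no 5.33 binary is what a clean host looks like; anything marked SUSPICIOUS is worth a full reimage rather than a cleanup, as the thread title suggests.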
Also 5.34 is safe, but might be flagged by some AV programs.
Because it is signed with the same certificate as 5.33, and 5.33 certificate was just pulled because it's obviously infected.
If you still want to use CCleaner, get 5.35 portable version directly from Piriform. Should be safe.
CCleaner 5.35.6210 (64bit)
I would say with 99.9% confidence that you and myself as well, should be okay. As I had 5.33 installed on a 64bit system.
I've been scanning my system for the past few days and haven't found any evidence of anything, have been following very closely and reading all articles released by AV companies.
This attack on CCleaner was made by a well funded Chinese hacker group, probably even state funded.
It seems they were specifically targeting major companies to steal intellectual property.
Just in case I would recommend changing your IP, if you have a dynamic IP. You can do that in your router by cloning a new MAC address and restarting the router. Many ISPs will issue a new one.
thanks for the info and help user, i will keep an eye on my machine for the next couple of days, i only found out about this like 2 hours ago and did what i said a post or two above so i should be okay, but will keep checking.
I can't tell you how many times I've simply run this thing on someone else's PC when they tell me they have software "problems" and it fixes them.
>Also 5.34 is safe, but might be flagged by some AV programs.
Just like how they said 5.33 is safe? No thank you.
>32bit version
>cloud version
whatever.
It remembers you. Maybe having microsoft account helps. I already did it (from USB flash), when my HDD fucked up. At worst, you will just have indefinitely not activated copy, that will just work.
>tfw ict teacher in my diploma class recommended i use CCleaner every now and then a few days before this shitfest happened
Glad i didn't.
The level of sophistication of this attack is insane.
Common sense is not applicable in this case, pretty much any program could have been infected this way. Look at the way the various parts come together, it took AV companies weeks to find any evidence of this and the attack may be much older than thought, as far back as July. Only the sheer scale of the attack is what made it detectable.
Morphisec detected this type of attack on August 20th by the way, but took much longer to confirm and figure out the scope & sophistication of it.
The claim that CCleaner should not be used because it is more susceptible, is false, doesn't really matter as any popular Windows program could have been infected this way.
The claim that other OSes are not vulnerable, is false as well.
The claim that compiling your own programs from source would protect you 100%, is false as well, unless you can audit each piece of code. At this level of an attack, they could incorporate a few lines of legitimate code which appear to function normally but instead utilize other parts of the OS to make backdoors. A rolling release distribution could easily be hacked in this manner.
Aren't most government PCs still 32-bit? with CCleaner being such common software....seems weird
>mfw Windows 10 built-in Anti-Virus said that ccleaner533.exe was VIRUS
>The level of sophistication of this attack is insane.
who else but the CIA niggers
>your face when both 64 bit AND 32 bit had it, but only the 32 bit was detectable because they figured less computers were running it
We're all dead.
They probably couldn't get the 64bit signed.
Or that targeting 64bit would have made them detectable far sooner, as most users use 64bit systems, while terminal systems and prebuilt Dell systems that corporations use might still be 32bit?
Whatever they planned to steal they already accomplished that task with the third payload that hasn't been analysed yet. They already stole everything from those big tech companies.
i hope Google got infected.
treacherous cunts
They did.
>"According to Talos, tech corporations including HTC, Samsung, Sony, VMWare, Intel, Microsoft, Cisco, Linksys, Google, MSI, and many others are included in the list of targets."
and they knew who specifically to target like Cisco
64bit executable didn't have it, 32bit did.
However default ccleaner installs both as I mentioned above, and runs 32bit via Task Scheduler to skip user account control.
However stage2 did have another 64bit attack, but that was only attacking very specific systems. It doesn't seem that the stage2 64bit attack was used, at least in the last few days.
Interesting. Is there a way to tell if you're infected? Malwarebytes didn't pick up anything, and I don't think I ever upgraded to 5.33. Still, I can't recall it that well.
>The modified version, 5.33
>August 15 until September 12
>Check my version
>5.27 - 16 of June
tfw cbf updating things
did it have an auto update? I think I ran it once.
How about speccy?
>Intel, Sony, Microsoft, Google
>not AMD
feels good man
i think that only the pro version of their products can auto-update.
the free version just directs you to their website to download a new update
windows can clean itself
all the software people install can't clean itself because of incompetent devs who put junk files everywhere except junk folders
This will make big news when China starts making various tech 5-10 years down the line. Like self-driving cars and everyone realizes that their approach is quite similar to Google or another company.
Research and development costs billions, China instead uses hackers and spends a few hundred million a year instead and gets the tech that they need.
I'm sure the budget of this attack was at least a few million, and the scope of it is far bigger than most realize.
Maybe we will find out that other software was affected as well in the coming weeks or months.
Unrelated but, FinFisher is being spread by ISPs in some cases to spy on people.
Redirecting downloads to infected executables for WhatsApp, Skype, Avast, WinRAR, VLC Player, among others.
welivesecurity.com
Basically if you want to be safe, use the most obscure OS/software instead.
seconding this
This whole thing made me realize that Windtards are actually tards. Installing some stupid cleaning program (for pointless micro management), getting infected with that stupid cleaning program and then trying to fix it with more cleaning programs to clean up the mess the first cleaning program made.
>have 5.32 installed
>did a scan of my system and ESET picked up the 5.33 installer sitting in the updates folder
>mfw 64-bit
Sounds like your hard drive was dying. But sure, let's blame hardware problems on software, like a senile fuck.
>uploads
>1990
lol QUE
read:
That's why I've disabled the "Automatically check for updates" option on Day 1.
CCleaner v5.13.5460 x64 is working fine over here.
Good fucking dammit, how is an honest man supposed to jack off in the microwave now?
I'm running out of places to go.
This is only if you have the task scheduler enabled.
Standard startup on boot executes the 64-bit process
Continuous problems since I got it 3+ years ago, still working fine. The SMART data has never had anything to report. The RAM made it through multiple days of MemTest just fine as well. A few months ago I wiped the dual boot in favor of Linux and have never had any corruption issues under Linux. The fault is with Windows.
>get 5.35 portable version directly from Piriform
don't do this.
go back to the 5.32 version (the last good version before Avast bought Piriform)
Sure sounds like someone pissed off somebody fierce.
I was on 5.32, then I opened CCleaner about 2 days ago showing a new update available, so I did, but luckily it was already 5.34. Now I updated to 5.35, is this safe? I don't trust Piriform anymore but is there really a valid alternative?
I did it, reddit. Ama.
uninstall, run malwarebytes, find a 5.32 download. There is a serious chance that it could still be compromised in any version after 5.34
Makes sense. Would Malwarebytes be enough? Also as far as I can tell there's no weird process or service open and when I start CCleaner it runs for only 2-3 seconds because I open it via a /AUTO shortcut
It should be fine, but if you're paranoid, reinstall or run combofix. I actually don't know if combofix is still a thing people use though, so keep that in mind
>There is a serious chance that it could still be compromised in any version after 5.34
Of all things that could happen this is the least likely. If you don't like it because of Avast that's ok, but assuming they didn't drop a 500 pound shit in their pants and pick through 5.35 with a magnifying glass is just reaching. They don't want to get sued; releasing not one, not two, but three versions of software that contains a virus, two of which you released after the virus was public knowledge, is how you get sued out of business, if not arrested and accused of attempted state espionage.
Haven't used ComboFix in a while indeed. I guess I won't be reinstalling though, doesn't seem needed. I'll run Malwarebytes but I believe there shouldn't be anything wrong. Thanks for replying user
It's for showing off on Sup Forums. Simple as that.
>two of which you released after the virus was public knowledge
Was that a hypothetical scenario or did they actually release TWO infected versions?
Somehow the "Chinese" hackers knew of this exploit at Piriform for who knows how long, but why they chose to act during the first release of Avast's CCleaner makes it so suspicious. Now all that shit doesn't matter anymore, they literally unleashed some unknown malware payload stage 3 that no security firm understands the capabilities of because it's hidden itself from detection. We are talking about some matrix level hacker shit, this stage 3 has fooled all experts and detection systems, whoever is doing this deserves some credit.
Why do people keep this thing installed? Isn't it just a one-off run program?
Have you seen how sophisticated the actual virus is? I wouldn't be surprised if they compromised another part of the code with a different payload that hasn't been deployed yet. At least till it's verified by an independent audit, I won't be updating past 5.2
>2013
I'm safe, right?
>2017
>using the world's most popular and user friendly operating system
I seriously hope you guys don't do this.
Is it possible for one person to audit the entirety of their OS and software suites' code? (and that is considering the person is privy enough to audit in the first place)
So I'm safe?